House Democrats Skeptical of Data Sharing in Cybersecurity Bill

Dec. 6 (Bloomberg) -- U.S. House legislation calling for
companies and the government to share data on hacker threats
needs to be better defined to protect consumer privacy,
Democratic lawmakers and cybersecurity specialists said.

The draft measure’s provision creating a quasi-governmental
information-sharing organization should be tailored to avoid
overlap with work already performed by the Homeland Security
Department, Representative Yvette Clarke, a New York Democrat,
said today at a House subcommittee hearing.

Lawmakers need “to explore the real-life implications of
such a body and its actions, and how it would affect the
department’s ability to enhance cybersecurity for our government
agencies,” said Clarke, the senior Democrat on the House
cybersecurity subcommittee, which held the hearing.

Data breaches this year at Sony Corp., Citigroup Inc. and
Lockheed Martin Corp. sharpened government scrutiny of U.S.
network defenses. The bill discussed today is one of several
measures circulating in Congress aimed at safeguarding systems
at companies and U.S. agencies that operate financial networks,
power plants and telecommunications networks.

The information-sharing organization envisioned under the
bill would be overseen by a board that includes officials from
federal agencies, civil liberties groups and companies that own
or operate critical infrastructure such as financial networks or
utilities.

The measure, backed by Representative Dan Lungren, a
California Republican and subcommittee chairman, doesn’t name
participating agencies or specify a role for the Homeland
Security Department.

Expand Existing Ties

Encouraging the government to “share information is a
strong step in the right direction,” Cheri McGuire, vice
president of global government affairs and cybersecurity policy
for Symantec Corp., a Mountain View, California-based computer
security provider, said during the hearing.

Companies that sell cybersecurity services would be more
likely to support the clearinghouse by building the new
organization on existing ties between the government and private
sector, McGuire said. She cited the councils designated by the
Homeland Security Department to work in concert with the
government on protecting critical infrastructure.

“Questions remain about how we will continue to utilize
the existing entities under the proposed framework,” said
McGuire, who is chairwoman of the department’s council for
information-technology companies. “This is important given the
significant time and resources that companies have invested.”

Privacy Protections

Stronger privacy protections should be added to the bill,
including clear definitions of the kinds of threat information
private companies share with the government, said Gregory
Nojeim, senior counsel at the Center for Democracy and
Technology, a nonprofit based in San Francisco that supports
innovative technology with strong privacy safeguards.

Nojeim urged lawmakers to restrict the government to using
threat information only for improving cybersecurity, and
prohibit its use for law enforcement purposes.

Lungren said in an interview after the hearing that he
would incorporate more privacy protections in the bill based on
Nojeim’s testimony and clarify that the clearinghouse would be
civilian run. He said he plans to formally introduce the bill
next week and bring it for a vote by the panel in January.

House Republican leaders haven’t decided when to put any of
their bills to a final vote, while Senate Majority Leader Harry
Reid, a Nevada Democrat, said he plans to move on a
comprehensive cybersecurity measure early next year.